[thirdparty/kernel/stable-queue.git] / releases / 4.14.129 / infiniband-fix-race-condition-between-infiniband-mlx4-mlx5-driver-and-core-dumping.patch

From akaher@vmware.com  Thu Jun 20 16:25:33 2019
From: Ajay Kaher <akaher@vmware.com>
Date: Tue, 11 Jun 2019 02:22:17 +0530
Subject: infiniband: fix race condition between infiniband mlx4, mlx5  driver and core dumping
To: <aarcange@redhat.com>, <jannh@google.com>, <oleg@redhat.com>, <peterx@redhat.com>, <rppt@linux.ibm.com>, <jgg@mellanox.com>, <mhocko@suse.com>
Cc: <yishaih@mellanox.com>, <dledford@redhat.com>, <sean.hefty@intel.com>, <hal.rosenstock@gmail.com>, <matanb@mellanox.com>, <leonro@mellanox.com>, <linux-rdma@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <stable@vger.kernel.org>, <akaher@vmware.com>, <srivatsab@vmware.com>, <amakhalov@vmware.com>
Message-ID: <1560199937-23476-1-git-send-email-akaher@vmware.com>

From: Ajay Kaher <akaher@vmware.com>

This patch is the extension of following upstream commit to fix
the race condition between get_task_mm() and core dumping
for IB->mlx4 and IB->mlx5 drivers:

commit 04f5866e41fb ("coredump: fix race condition between
mmget_not_zero()/get_task_mm() and core dumping")'

Thanks to Jason for pointing this.

Signed-off-by: Ajay Kaher <akaher@vmware.com>
Acked-by: Jason Gunthorpe <jgg@mellanox.com>
---
 drivers/infiniband/hw/mlx4/main.c |    4 +++-
 drivers/infiniband/hw/mlx5/main.c |    3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -1197,6 +1197,8 @@ static void mlx4_ib_disassociate_ucontex
 	 * mlx4_ib_vma_close().
 	 */
 	down_write(&owning_mm->mmap_sem);
+	if (!mmget_still_valid(owning_mm))
+		goto skip_mm;
 	for (i = 0; i < HW_BAR_COUNT; i++) {
 		vma = context->hw_bar_info[i].vma;
 		if (!vma)
@@ -1215,7 +1217,7 @@ static void mlx4_ib_disassociate_ucontex
 		/* context going to be destroyed, should not access ops any more */
 		context->hw_bar_info[i].vma->vm_ops = NULL;
 	}
-
+skip_mm:
 	up_write(&owning_mm->mmap_sem);
 	mmput(owning_mm);
 	put_task_struct(owning_process);
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -1646,6 +1646,8 @@ static void mlx5_ib_disassociate_ucontex
 	 * mlx5_ib_vma_close.
 	 */
 	down_write(&owning_mm->mmap_sem);
+	if (!mmget_still_valid(owning_mm))
+		goto skip_mm;
 	mutex_lock(&context->vma_private_list_mutex);
 	list_for_each_entry_safe(vma_private, n, &context->vma_private_list,
 				 list) {
@@ -1662,6 +1664,7 @@ static void mlx5_ib_disassociate_ucontex
 		kfree(vma_private);
 	}
 	mutex_unlock(&context->vma_private_list_mutex);
+skip_mm:
 	up_write(&owning_mm->mmap_sem);
 	mmput(owning_mm);
 	put_task_struct(owning_process);
Commit	Line	Data
e4041a3f GKH	1	From akaher@vmware.com Thu Jun 20 16:25:33 2019
	2	From: Ajay Kaher <akaher@vmware.com>
	3	Date: Tue, 11 Jun 2019 02:22:17 +0530
	4	Subject: infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping
	5	To: <aarcange@redhat.com>, <jannh@google.com>, <oleg@redhat.com>, <peterx@redhat.com>, <rppt@linux.ibm.com>, <jgg@mellanox.com>, <mhocko@suse.com>
	6	Cc: <yishaih@mellanox.com>, <dledford@redhat.com>, <sean.hefty@intel.com>, <hal.rosenstock@gmail.com>, <matanb@mellanox.com>, <leonro@mellanox.com>, <linux-rdma@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <stable@vger.kernel.org>, <akaher@vmware.com>, <srivatsab@vmware.com>, <amakhalov@vmware.com>
	7	Message-ID: <1560199937-23476-1-git-send-email-akaher@vmware.com>
	8
	9	From: Ajay Kaher <akaher@vmware.com>
	10
	11	This patch is the extension of following upstream commit to fix
	12	the race condition between get_task_mm() and core dumping
	13	for IB->mlx4 and IB->mlx5 drivers:
	14
	15	commit 04f5866e41fb ("coredump: fix race condition between
	16	mmget_not_zero()/get_task_mm() and core dumping")'
	17
	18	Thanks to Jason for pointing this.
	19
	20	Signed-off-by: Ajay Kaher <akaher@vmware.com>
	21	Acked-by: Jason Gunthorpe <jgg@mellanox.com>
	22	---
	23	drivers/infiniband/hw/mlx4/main.c \| 4 +++-
	24	drivers/infiniband/hw/mlx5/main.c \| 3 +++
	25	2 files changed, 6 insertions(+), 1 deletion(-)
	26
	27	--- a/drivers/infiniband/hw/mlx4/main.c
	28	+++ b/drivers/infiniband/hw/mlx4/main.c
	29	@@ -1197,6 +1197,8 @@ static void mlx4_ib_disassociate_ucontex
	30	* mlx4_ib_vma_close().
	31	*/
	32	down_write(&owning_mm->mmap_sem);
	33	+ if (!mmget_still_valid(owning_mm))
	34	+ goto skip_mm;
	35	for (i = 0; i < HW_BAR_COUNT; i++) {
	36	vma = context->hw_bar_info[i].vma;
	37	if (!vma)
	38	@@ -1215,7 +1217,7 @@ static void mlx4_ib_disassociate_ucontex
	39	/* context going to be destroyed, should not access ops any more */
	40	context->hw_bar_info[i].vma->vm_ops = NULL;
	41	}
	42	-
	43	+skip_mm:
	44	up_write(&owning_mm->mmap_sem);
	45	mmput(owning_mm);
	46	put_task_struct(owning_process);
	47	--- a/drivers/infiniband/hw/mlx5/main.c
	48	+++ b/drivers/infiniband/hw/mlx5/main.c
	49	@@ -1646,6 +1646,8 @@ static void mlx5_ib_disassociate_ucontex
	50	* mlx5_ib_vma_close.
	51	*/
	52	down_write(&owning_mm->mmap_sem);
	53	+ if (!mmget_still_valid(owning_mm))
	54	+ goto skip_mm;
	55	mutex_lock(&context->vma_private_list_mutex);
	56	list_for_each_entry_safe(vma_private, n, &context->vma_private_list,
	57	list) {
	58	@@ -1662,6 +1664,7 @@ static void mlx5_ib_disassociate_ucontex
	59	kfree(vma_private);
	60	}
	61	mutex_unlock(&context->vma_private_list_mutex);
	62	+skip_mm:
	63	up_write(&owning_mm->mmap_sem);
	64	mmput(owning_mm);
65	put_task_struct(owning_process);